>>>>> "Black," == Black, David <[email protected]> writes:
Black,> I would strongly suggest that the draft express the
Black,> difference between securing NVO3 control functionality (VN
Black,> configuration, attach, detach - NVE-NVA and
Black,> NVE-server/hypervisor/end-device communication) and securing
Black,> VN traffic among NVEs (security signaling in/for the data
Black,> plane).
I agree.
We've been trying to separate data plane from control plane security,
and getting to a point where this is complete is desirable.
That said, I think it's important that our solution provide
comprehensive security for both.
The reason I think separation is important is that the tradeoffs in
deployment are different.
It may be the case that there end up being lower implementation
requirements for the data plane security, although in this world of
passive attacks, I actually think even data plane security ought to be
MUST implement.
However, more people will deploy control plane security, and that's a
reasonable deployment choice we should support.
--Sam
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3